Zerodha CEO Nithin Kamath Criticizes Indian Banking Apps' Invasive Permissions

In a striking revelation that has sparked widespread discussion in financial and tech circles, Zerodha co-founder and CEO Nithin Kamath has publicly declared that he does not use internet banking applications on his smartphone. The prominent entrepreneur's decision stems from a fundamental criticism of how Indian banks approach mobile security, particularly regarding the permissions their apps demand from users.

Questioning Mandatory Permissions That "Make No Sense"

Kamath articulated his concerns in a detailed post on X (formerly Twitter), where he questioned the logic behind the extensive permissions required by most banking applications. "I don't use net banking apps on my phone because the mandatory permissions they ask for make no sense," Kamath stated emphatically. He highlighted that requiring such invasive device access actually contradicts established global cybersecurity best practices rather than enhancing security.

The Zerodha chief specifically pointed to the cybersecurity principle known as the Principle of Least Privilege (PoLP) – the foundational concept that any application or system should be granted only the access strictly necessary to perform its intended function, and nothing more. "Why does a banking app need access to my SMS, phone, contacts, etc., in the name of security, when not seeking invasive device permissions is, in fact, the global benchmark for cybersecurity. This is called the Principle of Least Privilege (PoLP)," Kamath elaborated in his social media commentary.

Zerodha's Contrasting Approach: Zero Permissions on Kite App

Kamath drew a sharp contrast between conventional banking applications and how his own company has architected its trading platform. He noted that Kite, Zerodha's flagship mobile application for trading, requests zero permissions from users – a deliberate and conscious design choice that reflects the company's core philosophy. "Don't do unto others what you don't want done unto you," Kamath said, describing this as a founding principle at Zerodha that guides their product development approach.

"This is exactly why we've built Zerodha the way we have. Kite asks for ZERO permissions on mobile, for instance, and this is one of the big reasons why millions of people trust us," Kamath explained. He credited SEBI's mandatory strong two-factor authentication framework for enabling this balanced approach, noting that regulatory requirements have struck the right equilibrium between security and privacy. "What has enabled us is SEBI's mandatory strong two-factor authentication framework to strike the right balance between security and privacy," he added, emphasizing that it's possible to build secure financial platforms without resorting to invasive data collection practices.

Broader Implications for Digital Banking Security

Kamath's comments come at a time when digital banking adoption in India continues to accelerate rapidly, with millions of users relying on mobile applications for their daily financial transactions. His critique raises important questions about:

  • The balance between security requirements and user privacy
  • Whether current permission structures in banking apps are truly necessary
  • How financial institutions can implement robust security without compromising user data
  • The role of regulatory frameworks in shaping security practices

The discussion initiated by Kamath has resonated with many users who have expressed similar concerns about the extensive permissions demanded by various financial applications. As one of India's most successful fintech entrepreneurs, his perspective carries significant weight in both the technology and financial sectors, potentially influencing how companies approach application security and privacy considerations moving forward.